STE WILLIAMS

SMBs understand they have to focus more on cybersecurity. Here’s a look at the areas they say matter most.

Image Source: Shutterstock via Profit_Image

Two recent surveys offer insight into why small to medium-sized businesses (SMBs) are taking security more seriously.

In one study, by Webroot, 600 IT decision makers pinpoint their top concerns (think: phishing and ransomware), as well as areas where they are becoming more relaxed, due largely to increased security awareness and training, as well as much-improved access control management. 

“The press has made people aware of the threat landscape,” says Charlie Tomeo, vice president of worldwide business sales at Webroot. “The bad actors keep coming out with new forms of malware, and everyone is getting hammered. There’s a heightened awareness, and SMBs really know they have to do something.”

The other study, by Kaspersky, examines IT budgets and high-level staffing considerations, given that “most SMBs can’t afford a full-time CISO,” says Jason Stein, vice president of channel at Kaspersky Lab North America.

We talked with both Tomeo and Stein to develop this list of SMB security trends. For more information, check out the Webroot report “Webroot SMB Cybersecurity Preparedness” and the Kaspersky study “On the Money: Growing IT Security Budgets to Protect Digital Transformation Initiatives.” The Webroot study only involves SMBs, while the Kaspersky study covers both SMB and enterprise markets. 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/9-smb-security-trends/d/d-id/1332194?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The most effective hackers keep things simple, something organizations must take into account.

Organizations continue to learn the hard way that when it comes to IT security, the simplest things often cause the biggest problems. A network is only as secure as its weakest link, so hackers don’t need to spend the time and money it takes to develop advanced persistent threats or zero-day attacks; they just need to focus on finding the easiest ways of getting in. In other words, the most effective hackers keep things simple, something organizations must take into account.

With that in mind, here are four basic principles that attackers exploit and companies need to stay on top of in order to secure their network.

1. People Are Almost Your Most-Targeted Link
Hackers looking for a way to infiltrate a network often start with the vulnerabilities of key users — 81% of hacking-related breaches leveraged either stolen and/or weak passwords, according to last year’s Verizon Data Breach Investigations Report. Troubling statistics like this should remind us that people are often the hardest part of the security equation. People are fallible and emotional, which is why even regular security awareness training has its blind spots.

Think about it — how easy is it to make somebody’s emotions take over in today’s world? In the age of connectivity and social networks, it’s easier than ever to find professional, personal, or political information that can allow an attacker to craft personalized lures that trigger a response. Inducing such feelings can often lead to irrational behavior, which in return can be something that can be exploited digitally. Additionally, as the lines blur between personal and professional communication platforms, it is important to make sure that security awareness training, especially when it comes to phishing, translates into the new mediums.

2. Flaws Remain Unfixed
Vendors and researchers don’t always have the same goals or objectives, and security suffers as a result. There have been many cases where a researcher is forced to publish a legitimate vulnerability publicly because a vendor recognizes it as a true security issue when the matter is brought to its attention privately. This leaves gaping holes for attackers to exploit.

Similarly, when the company in charge of updates is not the owner of the piece of code exhibiting a vulnerability, flaws can remain for an extended period. For example, it can take a long time for a cellphone provider to push an update to users after Google fixes an Android security flaw in the OS. Flaws like this will always be present, providing an entry point for even the least-sophisticated attackers to access a network.

3. If There’s a Mistake, Someone Will Find It
As automation continues to be a key outcome of digital transformation, the “good guys” aren’t the only ones to benefit. Attackers are taking advantage of today’s automated world and can easily scan for vulnerabilities. There are numerous public and paid services that allow users to explore the Internet pretty much anonymously, looking for misconfigurations that exist on anything from Internet of Things toasters to government cloud instances.

It’s no longer a question of if somebody will discover your mistake, but when (and more importantly, how long after it’s been exposed). This story played repeatedly in the breaches of 2017. Amazon Web Services’ S3 breach is one example. Attackers found a misconfiguration in AWS’s storage buckets, which allowed public write access, enabling attackers to launch silent man-in-the-middle attacks and other hacks on a company’s customers or internal staff.

It’s important to remember that misconfigurations extend beyond just missing patches and default settings to things like network paths that don’t need to exist, giving sweeping landscapes to monitor.

4. There Is a Security Workforce Shortage
In 2019, there will be a global shortage of 2 million cybersecurity professionals, according to ISACA, a nonprofit information security advocacy group. To compound the challenges caused by this lack of skilled analysts even more, the ones who are on the front lines are asked to do the impossible. They can’t keep up with the barrage of alerts that come from so many sources. The flow is simply too great, and incidents are missed.

When an event is investigated, security teams are using so many internal and external tools, scripts, and conversations to get the relevant context that each investigation is a long and tedious process. This combination of factors is leaving security teams burned out and companies vulnerable.

Once again, hackers are acutely aware of these challenges that organizations face. They know that simple techniques of attack will fly under the radar and may not be scored as a “priority” because analysts are too busy spending their time looking for larger, more complicated threats. It’s why attackers will try to live off the land more and more, using underlying sysadmin tools preinstalled with the operating system.

What Does It All Mean?
In the end, understanding the basic principles that hackers are using to infiltrate your network is an important part of staying one step ahead of them. But remember that even the basics will change over time. The most effective thing you can do to overcome these simple, yet evolving threats is to focus on the people protecting your organization.

These people need to understand their role in securing the environment and the overall impact of the decisions they make. Make sure analysts know what they are protecting and ensure the right controls are in place to stay focused. Finally, be certain that the security teams have the visibility and the tools they need to detect, investigate, and respond quickly and efficiently.

Related Content:

• The 6 Worst Insider Attacks of 2018 – So Far
• Preparing for Transport Layer Security 1.3
• Why Sharing Intelligence Makes Everyone Safer
• Redefining Security with Blockchain

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info. 

David Pearson has been analyzing network traffic for well over a decade, having used Wireshark ever since it was Ethereal. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/4-basic-principles-to-help-keep-hackers-out/a/d-id/1332197?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The developers of Gentoo Linux have revealed how it was possible for its GitHub repository to be hacked: someone deduced an admin’s password and perhaps that admin ought not to have had access to the repos anyway.

The distro’s Wiki has added a page describing the incident. It describes the root cause of the incident as follows:

The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages.

Oops! Sounds like someone has a core password with predictable variations!

The wiki page also reveals that the project got lucky. “The attack was loud; removing all developers caused everyone to get emailed,” the wiki reveals. “Given the credential taken, its likely a quieter attack would have provided a longer opportunity window.”

Also helpful was that “Numerous Gentoo Developers have personal contacts at GitHub, and in the security industry and these contacts proved valuable throughout the incident response.”

But the project’s critical of itself for the following reasons:

• Initial communications were unclear and lacking detail in two areas.
  • How can users verify their tree to be sure they had a clean copy?
  • Clearer guidelines that even if users got bad copies of data with malicious commits, that the malicious commits would not execute.
• Communications had three avenues (www.gentoo.org, infra-status.gentoo.org, and email lists.) Later we added a wiki page (this page) and were inconsistent on where to get updates.
• GitHub failed to block access to the repositories via git, resulting in the malicious commits being externally accessible. Gentoo had to force-push over them as soon as this was discovered.
• Credential revocation procedures were incomplete.
• We did not have a backup copy of the Gentoo GitHub Organization detail.
• The systemd repo is not mirrored from Gentoo, but is stored directly on GitHub.

The project’s fix has a few elements. Two-factor authentication is now on by default in the project’s GitHub Organization and will eventually come to all users the project’s repos. A password policy that mandates password managers is planned. Also on the agenda is a review of who needs access to repos and cleanout of those who don’t, proper backups and an incident plan so that the project won’t need to rely on its luck if it’s popped again. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/05/gentoo_hack_caused_by_weak_password_no_2fa_loose_policies/

Cryptographic key servers are in “direct violation” of the EU’s General Data Protection Regulation, a software developer has claimed.

Michael Drahony (AKA yakamok) has written a program (on GitHub) designed to highlight the potential compliance issues posed by use of PGP as an email encryption utility.

“Currently you cannot remove data from the key servers on request,” Drahony told El Reg in an email. “Any data posted to them propagate to other key servers, making the data immortal in a sense.”

Drahony’s contention is by no means clearcut, but it has sparked a spirited debate among security experts.

Implied consent

Users make a conscious decision to place a public PGP key on a key server, but might the fact data can’t be deleted still be an issue?

The glorious uncertainty: Backup world is having a GDPR moment

READ MORE

The requirement to delete or remove data on request, per GDPR, “only applies when it is practical”, said Martijn Grooten, editor of industry journal Virus Bulletin. “One could maybe argue that it isn’t in this case [of PGP key servers].”

Professor Alan Woodward, a computer scientist and cryptographer from the University of Surrey in England, said that there’s an implied consent to disclose personal information and to be contacted through encrypted email when someone shares their public PGP key.

“If your UID is your name then your name, email and key are visible – it’s kinda the point so can’t imagine ICO would complain,” he commented.

These considerations apply even if an “anonymous” email address is associated with a PGP key. An email address is unique to a person. “It’s still personal data even if you can’t find out who is the person behind it,” Grooten added.

Other experts were inclined to view the whole business as something of a non-issue.

Brian Honan, infosec consultant and founder of Ireland’s CSIRT, commented: “I am not sure what the issue the reader is trying to highlight is. Firstly PGP public keys are on the server and placed there by the key owners. Secondly any server on the internet can be used to host stolen data.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/05/pgp_key_servers_gdpr/

London is to get a new court building, billed as a legal centre for tackling cyber and online economic crimes.

The courthouse, to be built on the site of Fleetbank House, just off the capital’s Fleet Street, will have 18 courtrooms and house the Business and Property Court list of the High Court’s Chancery Division.

In addition, the building will house the Central London County Court, which currently sits in the Royal Courts of Justice up the road from Fleet Street, and criminal cases from the City of London Magistrates’ Court, which is built on a prime slice of real estate slap bang on top of Bank underground station.

A new station for the City of London Police, the Square Mile’s tiny force which mainly focuses on economic crimes, will also form part of the new building.

“This state-of-the-art court is a further message to the world that Britain both prizes business and stands ready to deal with the changing nature of 21st century crime,” said Justice Secretary David Gauke in a canned quote.

Catherine McGuinness, policy chairman of the Corporation of London, chipped in to add: “I’m particularly pleased that this court will have a focus on the legal issues of the future, such as fraud, economic crime, and cyber-crime.”

Most high-profile British cybercrime cases are started in Westminster Magistrates’ Court, a mile or two north of the City, where the Chief Magistrate of England and Wales dispenses justice. Minor cybercrime cases sometimes find their way to the City of London Magistrates’ Court (such as the ex-Harrods IT worker fined for trying to have a company laptop wiped before returning it) or get bumped up to Southwark Crown Court, as with the case of the serving judge accused of a computer misuse crime for viewing a case file.

The City’s own capacity for hearing cybercrime cases is very small, and (in anything other than PR terms) is largely meaningless, London being blessed with plenty of civil and criminal courthouses.

Capital geeks will know that the Royal Courts of Justice, the beautiful neo-Gothic court building on the Strand, opposite St Clement Danes Church, sits immediately outside the boundaries of the City of London, the admin district known as the Square Mile. Nonetheless, as the home of half the High Court, many corporate legal battles involving cyber matters are heard there. The Chancery Division, the other half of the High Court, is based inside the City in the Rolls Building, just around the corner from the RCJ.

The current Fleetbank House is an utterly uninspiring Brutalist box, erected before the post-war architectural vandalism movement had discovered angles other than 90^o. Appropriately, the building currently houses a clutch of minor government agencies, including the London tentacle of snatch-your-pint mob Public Health England. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/05/new_london_court_cyber_crime_centre/

Firefox and Chrome have removed a browser extension from their stores following revelations it was phoning home with users’ web-surfing histories.

The “Stylish” plug-in gained popularity because it let users configure sites’ appearance, rather than accepting the designers’ decisions.

However – stop us if you’ve heard this one before – the code changed hands last year and the new owners expanded its data slurping activities.

Software engineer Robert Heaton decided to take a look at what was being sent to Stylish’s owners, analytics company SimilarWeb, and was horrified.

As Heaton blogged, “HTTP requests that send a large blob of obfuscated data to a URL ending in /stats are almost never good news for users.”

While the SimilarWeb privacy policy for Stylish says it only collects anonymous data, Heaton found it was attaching an identifier to the data returned to the company.

“I looked closer at the decoded payload and noted a unique tracking identifier”, he wrote, adding “it only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier. This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.”

Mozilla’s add-on assessors decided Stylish, as it now stands, is out of line and made the extension unavailable to Firefox users (although it requires manual removal for current users).

A post from Andreas Wagner was blunt about the reason: “We decided to block because of violation of data practises outlined in the review policy.”

Still popular after it’s gone

As you can see above, Stylish was popular enough to be a front-page search result for “Chrome extensions”, but it’s now gone from the Google extensions store.

The Register asked SimilarWeb for comment. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/05/browsers_pull_stylish_but_invasive_browser_extension/

Thunderbird has pushed code with fixes for a dozen security vulnerabilities – including the EFAIL encryption mess that emerged in May.

The EFAIL-specific fixes address two errors in Thunderbird’s handling of encrypted messages: CVE-2018-12372, in which an attacker can build S/MIME and PGP decryption oracles in HTML messages; and CVE-2018-12373, in which S/MIME plaintext can be leaked if a message is forwarded.

EFAIL was announced with a much-criticised process. The discoverers emphasised the issue’s exploitability to read messages encrypted with PGP and S/MIME – but the vulnerabilities were specific to client implementations.

Thunderbird users will therefore welcome news that the client has joined the list of EFAIL-safe email tools.

Thunderbird 52.9 also includes some critical-rated fixes. CVE-2018-12359 was a buffer overflow leading to a potentially exploitable crash: “A buffer overflow can occur when rendering canvas content while adjusting the height and width of the canvas element dynamically, causing data to be written outside of the currently computed boundaries.”

The other, CVE-2018-12360, is a use-after-free, also with a potentially exploitable crash: “A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element.”

Security researcher Matt Nelson noticed that under Windows 10, users weren’t getting warned when they were opening executable SettingContent-ms files (CVE-2018-12368).

That bug meant “unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems”.

Thunderbird also inherited some memory safety bugs from the Firefox code base, also fixed.

The program’s developers noted that many of the bugs aren’t directly exploitable in the e-mail client (scripting is disabled when you’re reading messages), but “are potentially risks in browser or browser-like contexts”. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/05/thunderbird_52_9_fixes_efail_crytpo_bug/

Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.

We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.

Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.

A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.

That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.

Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.

Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.

There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.

One such company, Edison Software, allowed employees to review emails from hundreds of users to help it build out new features in its software, the WSJ said. Developers at another company, email marketing optimization Return Path, read over 8,000 email messages as they tried to better train its software to distinguish between personal and commercial emails, the report added.

Google’s privacy policy says it may share information with third parties. However, the policy doesn’t explicitly say that humans may manually read those mails, and the opt-in message that it displays when you connect an external app to the service doesn’t say so either.

There’s another twist to the WSJ story. It explains that Return Path not only accesses emails when users sign up for its own apps, but also when they sign up for apps operated by other companies. These companies partner with Return Path via its Context.IO subsidiary, which collects email data to help it improve its services.

One such partner app is Earny, which scans users’ email for receipts and claims refunds to help them save money. This company works with Context.IO to provide it with access to their mails.

Earny complies with strict guidelines from Context.IO, which mandates that partner apps explain the relationship in their own privacy policies. The text, provided by Context.IO and reproduced on the Earny site, says in part:

If you use the Services, and connect your email account, Context.IO will have access to your Personal Information. Context.IO may use your Personal Information to operate, monitor and improve the Context.IO services and as otherwise stated in their own Privacy Policy.

It then gives the user the chance to opt out of Context.IO services by linking to a page on the Context.IO site.

Context.IO also demands that those partners display ‘just in time’ (JIT) notifications – popping up the notices just as users sign up – to try and ensure that they understand what’s happening. Return Path points all this out in its response to the WSJ.

It’s worth pointing out that Return Path only mandates the JIT notifications for EU users, leaving those outside that region to pore over privacy policies on partner web sites. At least one US-based Earny user interviewed by the WSJ had never heard of Return Path because she hadn’t read the Earny privacy policy.

She is far from the only person not to plough through a privacy policy or two when signing up for an online service. We could argue that users are responsible for all of this, but in practice they have faced years of complicated legalese that they tend to avoid. These transitive relationships seem to make things still more difficult.

Google gives you some privacy information when you grant a third party app developer access to your mail, but leaves you to deduce for yourself that humans may read your email too.

To properly protect yourself, it seems that you must then check that third party developer’s own privacy policy if you want to be sure about what it’s doing. You may then need to check still more privacy policies from other partners if you find that it is sharing your mail with them.

This raises several questions. Is it reasonable to expect users to go through this process? Is there a better way to handle it? Should Google be more clear about exactly what people can do with the information that it shares? Where does the user’s responsibility end and the app developer’s begin? What about the app developer’s partners?

Perhaps the first question Gmail users should ask, though, is who has access to their emails and other Google data today.

To find out, you can visit the accounts permissions page. It may explicitly list some apps as having email access, but be on the lookout for apps listed as having access to your Google account. These have permissions to read your email along with lots of other data that Google holds about you. If you decide that you’re not happy with this, you can revoke access.

Follow @NakedSecurity
Follow @dannybradbury

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jh5Ia_p5Bz4/

There are so, so many reasons to block the Facebook annoyarati. As Ranker enumerates in its 15 reasons why they’re so annoying, they can be selfie-saturaters, romance oversharers, my life is SO GREAT!-ers, feed cloggers, or whining whiner babies, for example.

Annoying is one thing. On the other end of the spectrum are the dangerous or illegal social media accounts: the stalkers, the child predators, the trolls, the bots, the scammers. But they all have one thing in common. They deserve to be blocked, and Facebook users deserve the benefits of blocking them, as in, to be spared their grating or endangering presence.

Well, Facebook goofed on that front. On Monday, the company admitted that it’s notifying over 800,000 users about a bug in Facebook and Messenger that unblocked some people they’d blocked. Facebook Chief Privacy Officer Erin Egan said in a Facebook newsroom post that the glitch was active between 29 May and 5 June.

She said that while someone who was unintentionally unblocked couldn’t actually see content shared with friends, they could have seen things posted to a wider audience: for example, pictures shared with friends of friends.

This is the way blocking is supposed to work: Blocked people can’t…

• See things you post on your profile.
• Start conversations with you on Messenger.
• Add you as a friend.

Blocking people also unfriends them if you were previously friends. But in the case of this bug…

• 83% of people affected by the bug had only one person they had blocked temporarily unblocked. Facebook didn’t mention just how many shoulda-stayed-blocked-and-buried zombies arose to plague the other 17%, though.
• The shoulda-stayed-blocked ones may have been able to reach beyond the blocked grave to contact people on Messenger who had blocked them.
• On the plus side, the bug didn’t reglue people to friends they’d cut off.

The bug is now fixed, and “everyone has been blocked again,” Egan said. One assumes she meant that those who should have stayed blocked have been re-entombed. Those affected by the bug should have received a notification on Facebook encouraging them to check their blocked list.

Hopefully nobody suffered serious consequences due to the bug.

Follow @LisaVaas
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A91ckqQgpj0/

At least two Samsung smartphone models have reportedly spontaneously started sending photographs to contacts without being asked to do so.

It’s never easy to tell how widespread smartphone problems are – forums are regularly filled with an assortment of issues – but the pattern of behaviour in anecdotal reports from US owners has a consistent ring to it.

Multiple images are said to have been sent to contacts without users being aware that it’s happening or having any indication after the fact in the Samsung Messages app.

One user claimed it sent his entire photo gallery to his girlfriend during the night, while another reported photographs had been sent to multiple contacts. Presumably, users find out when recipients tell them.

Judging from one Reddit thread, the affected devices are the latest Galaxy S9 and S9+, but it’s possible that other models are affected too.

What might cause such an issue – and how photographs could be sent to contacts – is a mystery.

A confusing aspect of the story is that the reports seem to coincide with US network T-Mobile turning on the Google-backed Rich Communication Services (RCS), the replacement for SMS text messaging being embraced by Android.

This is gradually being enabled by a handful of networks for certain smartphones. Reports suggest the problems started after the Messages app was recently updated, although others said the issue goes back as far as May.

However, according to T-Mobile’s schedule, the RCS update has only been applied to the Samsung Galaxy S7 and S7 Edge rather than the S9 or S9+.

That doesn’t, of course, mean an app update couldn’t be responsible, regardless of whether it has anything to do with RCS.

Given that users are reporting other problems when sending SMS messages after the update, that might be one explanation for what is going on.

If you are concerned, from Android 6.x onwards you can turn off the Messages app’s access to storage and camera in Settings Apps Permissions. This shouldn’t cause any problems for the app’s ability to send and receive SMS messages.

Alternatively, use a third-party app and set it as the default for the time being.

Frustratingly, until Samsung (or a mobile network whose subscribers have complained of the issue), issues a statement with some facts, this story remains one of low-level anecdote and speculation.

The only word from the phone maker so far:

We are aware of the reports regarding this matter and our technical teams are looking into it. Concerned customers are encouraged to contact us directly at 1-800-SAMSUNG.

Follow @JohnEDunn
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TadtbIHw1C0/